Updating the ICO's Code of Practice on Data Sharing

The 2011 Information Commissioner’s Office Code of Practice on Data Sharing is to be updated following the introduction in 2018 of the new GDPR rules. As part of the initial process the Information Commissioner wishes to hear opinion from trade organisations, data subjects and those representing their interests.

The 2011 Code was intended for any data controller involved in the sharing of personal data, primarily with other data controllers. The following is an outline of some of the major issues covered by the Code.

The Code establishes a common framework to protect individuals’ rights, and sets out comprehensive guidelines. Organisations are encouraged to define why data is being shared. Clear objectives are needed, taking into account potential risks and benefits, to individuals and to society as a whole. It is not just about whether any individual might be damaged, but also the extent to which improper sharing undermines public confidence and trust. Careful and constant judgment must determine that only strictly necessary information is shared, and as an example the ICO points out that organisations dealing with service provision will not, under normal circumstances, require any data that is linkable to identifiable individuals.

The Code discusses the legal right to share as another factor. Deciding whether or not an organisation has a legal right to share data at all includes consideration of the nature of the data and of the legal nature of the organisation. Rules apply to all, but the exact nature of those rules has a certain degree of flexibility depending upon the circumstances. For example, a public sector body may be entitled to operate slightly differently from a private sector body.

Plentiful guidance is given on the need to provide accurate notification of data sharing agreements, which must include a description of the type of recipient with whom data is being shared (naming specific organisations is not necessary). Notification of any significant changes in circumstances must be given as soon as practical and at most within 28 days.

Where several organisations are sharing data each must be clear on their precise responsibilities. In readiness for the filing by any individual of a subject access request, to find out what personal data is being held within a group of organisations in a sharing agreement, the Code advises that one person or organisation within the group be responsible for ensuring that all of the held information is available on request. To reduce the potential number of such requests, a policy of openness about working methods is advised as it is hoped that helping individuals to feel reassured that their information is being handled responsibly in the first place is of primary importance. Any data sharing, even on a one-off basis, must be recorded accurately: what was shared, with whom, when, and why? Furthermore, was this done with the consent of the individual or not?

Sharing information with countries outside the EU is permissible only under certain circumstances, such as that country has “adequate” data security standards and the government’s legal requirements for such arrangements are met.

This is merely a brief sketch of a lengthy and important document. The great majority of the advice contained in it may not change all that much. The updated Code will continue to provide guidance and promote good practice, and will address the changes brought about by the GDPR and the Data Protection Act 2018. Case studies will provide additional context, but in addition to dealing with legislative change the ICO hopes that the new version will also cover issues raised by the advance of technology since 2011.